Privileged communications. Sealed depositions. Hundred-million-dollar acquisition plans. Law firms are effectively walking vaults, and cybercriminals discovered this long ago. Cybersecurity for law firms is no longer an IT afterthought; it is a survival discussion, because a single breached credential can expose a client list overnight. Consider it this way: a firm has spent thirty years building a reputation on discretion, one of its associates clicks a spoofed invoice email on a Tuesday, and the firm is in the news for reasons no one wanted. Lawyers are sharp, tactical, and relentless in the courtroom, but cyber threats do not operate under discovery rules or allow time to object.
One of the most costly myths circulating in the legal industry today is the assumption that smaller practices fly under the radar. Attackers do not necessarily target large corporations; in many cases they want the quiet boutique firm handling a hostile takeover deal that no one knows about yet. Those documents are a gold mine to a wrongdoer, and a firm with lax access controls is a far easier target than a heavily secured company with a dedicated security team. Multi-factor authentication, end-to-end encrypted communications, role-based access permissions and regular patch management are not luxury additions but the minimum floor on which every practice must stand before anything else can improve.
Getting lawyers to actually adhere to security measures is a game in itself. They are conditioned to doubt, to resist fixed systems and to work with an extraordinary degree of autonomy, which are excellent traits in a courtroom and truly deplorable cybersecurity habits. One statement has preceded numerous disastrous breaches: “I will just use my personal email, it is quicker.” The deciding factor here is leadership. When senior attorneys make security policies firm law rather than a recommendation, staff follow the directives far more readily and the firm stops being the weakest link in its own chain.
Continuous education beats one-off training every time. Monthly security briefings, simulated phishing campaigns, and open discussion of real breach scenarios keep people alert in a way that endless compliance checkboxes never could. Combine that with multiple layers of technical defenses and a firm creates something attackers genuinely have to work at, which, more often than not, pushes them to look for easier targets elsewhere.